[debian-mysql] Bug#682210: CVE-2012-1735 CVE-2012-0540 CVE-2012-1757 CVE-2012-1756 CVE-2012-1734 CVE-2012-1689

Clint Byrum clint at ubuntu.com
Fri Jul 20 14:34:25 UTC 2012


Excerpts from Moritz Muehlenhoff's message of 2012-07-20 03:17:16 -0700:
> Package: mysql-5.5
> Severity: grave
> Tags: security
> 
> New MySQL security round:
> 
> http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
> 
> CVE-2012-1735  MySQL Server  MySQL Protocol  Server Optimizer  No  6.8  Network  Low  Single  None  None  Complete  5.5.23 and earlier
> CVE-2012-0540  MySQL Server  MySQL Protocol  GIS Extension     No  4.0  Network  Low  Single  None  None  Partial+  5.1.62 and earlier, 5.5.23 and earlier
> CVE-2012-1757  MySQL Server  MySQL Protocol  InnoDB            No  4.0  Network  Low  Single  None  None  Partial+  5.5.23 and earlier
> CVE-2012-1756  MySQL Server  MySQL Protocol  Server            No  4.0  Network  Low  Single  None  None  Partial+  5.5.23 and earlier
> CVE-2012-1734  MySQL Server  MySQL Protocol  Server Optimizer  No  4.0  Network  Low  Single  None  None  Partial+  5.1.62 and earlier, 5.5.23 and earlier
> CVE-2012-1689  MySQL Server  MySQL Protocol  Server Optimizer  No  4.0  Network  Low  Single  None  None  Partial+  5.1.62 and earlier, 5.5.22 and earlier
> 
> The advisory is confusing, I'm not sure which upstream version fixes these
> issues. I'm afraid we'll have to update to a new upstream, though.
>

No, these are just delayed notifications of bugs fixed in 5.1.63 and
5.5.24.  We already have those in stable-security and testing. Part of
the shell game they seem to play is to release the fix before the low
priority notifications (notice these are all low).

> Maybe we can switch to a FLOSS-friendly fork like mariadb after Wheezy
> release...

That sounds good, but it really won't work.

First, MariaDB and Percona Server are not forks. They are
derivatives. They share code back to mysql, and they take every bit of
code mysql puts out and apply their delta to it.

Because of that model, they are in the same boat as we are. In effect, our
lightly patched, differently built MySQL is a derivative too. All of us must
take all the changes they give us and try to evaluate them for urgency.
